Need Help Configuring Shibboleth for Remote Auth
cantor.2 at osu.edu
Fri Dec 11 12:48:56 EST 2015
On 12/11/15, 12:17 PM, "users on behalf of Cris Bettis" <users-bounces at shibboleth.net on behalf of cris.bettis at bettercarpeople.com> wrote:
>I'd like to configure Shibboleth to hand over control to this server, allow a user to log in and accept information back that allows it to continue the SAML conversation it started with another SP.
>Currently, it is looking like RemoteUser Authentication is the way to go here.
Not unless you have already integrated that authentication process with a web server. You can't just redirect over and back. That's SSO, that's a totally different kind of approach.
RemoteUser is container-mediated login to the IdP. Until you build authentication into your container, you aren't ready to even talk about using it with the IdP.
>Commented out all non RemoteUser methods in the general-auth.xml file.
That is not needed.
>I've updated this line in ```conf/authn/remoteuser-authn-config.xml``` with my server's url
Absolutely 100% no. That has to point to the servlet used by the IdP to pick up the REMOTE_USER or header value you're setting through some other mechanism. It CANNOT point to a different server, that wouldn't make any sense.
>The SP negotiates with Shibboleth correctly. And indeed Shibboleth will forward to this server. However, I cannot seem to pass back adequate credentials in a way Shibboleth understands.
This isn't about the IdP, this is about what it means to use a container-managed authentication process. You can't do that through the IdP. By definition it already must exist. All the IdP does is supply a flexible servlet to pick up the identify from a number of possible sources that you must already be populating outside the IdP.
More information about the users